decred / politeia

ISC License

Invalidate all sessions of a user on password change #1680

Open jholdstock opened 1 year ago

jholdstock commented 1 year ago

This was implemented previously in #647 but the functionality seems to have stopped working.

Sharing the report which came in from the bug bounty program:

While conducting my research I discovered that the application failed to invalidate the session after password change from profile settings. In this scenario changing the password doesn’t destroy the other sessions logged in with old passwords.

Steps to reproduce:

  • Register an account on https://proposals.decred.org
  • Log in with the same account in Chrome and Firefox simultaneously.
  • In the Chrome browser, go to Profile https://proposals.decred.org/user/?tab=account and change the password.
  • Go to Firefox and update any information; the information will be updated. *If the attacker logs in with Firefox and the user knows his password is stolen, then even if the user changes their password, his account remains insecure and the attacker has full access to the victim's account.

If the attacker has a user's password and logs in from different places, then because other sessions are not destroyed, the attacker will still be logged in to your account even after the password is changed, because his session is still active. A malicious actor can completely access your account until that session expires! So, your account remains insecure even after the change of the password.
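The behaviour the issue title asks for, as an added Go example that is not politeia's own code (the `Store`, `Login`, `Lookup` and `ChangePassword` names are hypothetical): a server-side session store whose password-change path deletes the user's other sessions, so a login made with the old password (the Firefox session in the report) stops working.

```go
package main

import "sync"

// Added example, not politeia's code: a server-side session store (session ID ->
// user ID) in which a password change revokes the user's other sessions.
type Store struct {
	mu       sync.Mutex
	sessions map[string]string
}

func NewStore() *Store { return &Store{sessions: make(map[string]string)} }

// Login records a new session; a real server would generate a random ID.
func (s *Store) Login(userID, sessionID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sessionID] = userID
}

// Lookup resolves a session to its user; ok is false once it is revoked.
func (s *Store) Lookup(sessionID string) (userID string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	userID, ok = s.sessions[sessionID]
	return userID, ok
}

// ChangePassword runs after the new password hash is stored. It deletes every
// session of userID except currentSessionID (the one making the change; pass ""
// to revoke all) and returns how many were revoked.
func (s *Store) ChangePassword(userID, currentSessionID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	revoked := 0
	for id, uid := range s.sessions {
		if uid == userID && id != currentSessionID {
			delete(s.sessions, id) // deleting during range is safe in Go
			revoked++
		}
	}
	return revoked
}
```

Whether the session that performed the change survives is a policy choice; passing "" revokes every session, which also covers the case where the user cannot tell which session is the attacker's.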